Win95.Padania.1335, W95/Padania, Mid/W95Padania, Win95/Padania.1335
PE_PADANIA, Padania, W32/Padania.1335, Win95:Padania
Category: Computer Virus
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
13 Feb 2007
The W95.Padd virus infects Windows executable files. When an infected file is opened, the virus installs itself in memory.
More details about W95.Padania
It is a harmless, memory-resident, parasitic Windows virus. It stays in Windows memory, intercepts EXE file opening, hooks IFS API calls, and then copies itself to the end of the file and modifies the file's header so that it gains control when infected programs are opened. A short piece of virus code is also written to the file's PE header. The virus infects files in two ways, depending on the structure of the file. If the last section of the file is the .reloc (relocations) section, the virus overwrites it and removes the relocation info in the header. Otherwise the virus appends one new section to the end of the file and writes its code to it.
To gain control when an infected file is run, the virus also uses two methods: it either changes the program's start-up address, or patches the code of the program with “JMP_Virus”. In the latter case the virus does not gain control immediately when an infected program is opened, but only if the patched branch of the program is executed. To install its hooker in Ring0 Windows memory, the virus uses the same trick as the "Win95.MarkJ" virus: it patches the PE so that Win95 loads the code into VMM Ring0 memory instead of standard memory.
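The file changes described above leave traces in the PE headers that a scanner can check. The following is an added example, not code from the original page: the function and flag names are hypothetical, the sample headers are constructed, and the flags are triage heuristics rather than a signature for this virus (the entry-point flag can also fire on legitimately packed files).

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
RELOC_DIR = 5  # index of IMAGE_DIRECTORY_ENTRY_BASERELOC in the data directories

def last_section_indicators(data: bytes) -> list:
    """Return heuristic flags for a PE32 image whose last section looks taken over."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    if nsect == 0 or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 image with at least one section")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    reloc_rva, reloc_size = (0, 0)
    if ndirs > RELOC_DIR:
        reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + 8 * RELOC_DIR)
    sec = opt + opt_size + 40 * (nsect - 1)          # last section header
    name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, sec)
    chars = struct.unpack_from("<I", data, sec + 36)[0]
    is_reloc = name.rstrip(b"\0") == b".reloc"
    flags = []
    if is_reloc and (reloc_rva == 0 or reloc_size == 0):
        flags.append("reloc-section-but-no-relocation-directory")
    if va <= entry < va + max(vsize, rawsize):
        flags.append("entry-point-in-last-section")
    if is_reloc and chars & IMAGE_SCN_MEM_EXECUTE:
        flags.append("executable-reloc-section")
    return flags

def build_sample(name, reloc_dir, entry, chars):
    """Constructed PE32 headers only (two sections); sample input, not a real program."""
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * RELOC_DIR, *reloc_dir)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt) + len(dirs), 0x102)
    text = struct.pack("<8sIIII12xI", b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)
    last = struct.pack("<8sIIII12xI", name, 0x1000, 0x2000, 0x1000, 0x1400, chars)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + text + last

if __name__ == "__main__":
    print(last_section_indicators(build_sample(b".reloc", (0x2000, 0x200), 0x1000, 0x42000040)))
    print(last_section_indicators(build_sample(b".reloc", (0, 0), 0x2000, 0xE0000020)))
```

The patched-branch ("JMP_Virus") case leaves the entry point unchanged, so only the section and relocation flags can catch it.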